下载下来就一个文件,里面全是0101和一些字符。
搜索哈夫曼,了解到哈夫曼压缩时用到的哈夫曼树
。
猜测下面的字符代表频率。
哈夫曼树建立过程如下
哈夫曼编码
。
flag{
开头,所以前几个字符的哈夫曼编码可以确定下来。
flag{ddf5dfd0f05550500a5af55dd0d5d0ad}
flag{55fd5f50f0ddd0d00adafdd5505d50a5}
有三个flag,三段加密。
加密如下
gmpy2
库可以对大整数开根号。
import gmpy2
import libnum
c = 9217979941366220275377875095861710925207028551771520610387238734819759256223080175603032167658086669886661302962985046348865181740591251321966682848536331583243529
m = gmpy2.isqrt(c)
m = int(m)
m_text = libnum.n2s(m)
print(m_text)
得到flag1flag1{Th1s_i5_wHat_You_ne3d_FirsT}
加密过程是DES-ECB-PKCS5,密钥是随机的8字节的大写字母
DES ECB(电子密本方式)其实非常简单,就是将数据按照8个字节一段进行DES加密或解密得到一段段的8个字节的密文或者明文,最后一段不足8个字节(一般补0或者F),按照需求补足8个字节进行计算(并行计算),之后按照顺序将计算所得的数据连在一起即可,各段数据之间互不影响。
填充使用的是PKCS5,就是全部填充到8字节,后面缺几位就填几
如:后面缺4个字节,就填04040404;
8个字节都是空,就填0808080808080808
该算法对很多行明文按行分开加密,密钥是8字节,ECB加密是8字节一组,如果遇到空的8字节,就会出现填充后明文为0808080808080808与密文段进行异或。
截取各行密文的后8字节,统计发现ea9c3c12181a1e82
和16d0aa455a272fde
都出现过多次。
将密文放进hashcat进行爆破
hashcat64.exe -a 3 -m 14000 d33ad316eb246e5c:0808080808080808 -w 3 -O ?u?u?u?u?u?u?u?u
hashcat64.exe -a 3 -m 14000 ea9c3c12181a1e82:0808080808080808 -w 3 -O ?u?u?u?u?u?u?u?u
JFRYOMPR
然后解密脚本如下
from pyDes import *
Des_Key = "JFRYOMPR"
def DesDecrypt(str):
k = des(Des_Key, ECB, pad=None, padmode=PAD_PKCS5)
DecryptStr = k.decrypt(str.decode('hex'))
return DecryptStr
with open('enc.txt','r') as fe:
for line in fe.readlines():
print DesDecrypt(line.strip('\n'))
得到flag2flag2{Fuck_Y0u_cAn_Ge7_Se3ond}
再看最终的flag
用的是rsa加密
n放到factordb无法解密
e也足够大
这里的加密用了类似于CBC的方式,区别在于先加密再异或
但分组长度过短,2字节一组
所以可以构建一个明文于密文的对应字典,通过查找的方式找回原文
且由于是先加密后异或,所以可以从后往前按顺序找出每个分组异或前的加密结果
解密脚本如下
#!usr/bin/env python
# -*- coding: utf-8 -*-
import base64
import binascii
import string
import libnum
from Crypto.Util import number
from Crypto.Util.strxor import strxor
n=0x834b44a67ea419e1c3e665cedf7790ebc5fb013e2304861b667232e7ec1cae53eb253639b348a6702561671a5c5c9105eacd5d48de51427fc49f22ed2d9b60f98c50713ac95f2ac324fa58b90e0c07ab688becb771d92224be68474586376a4cd9a0ea96d5584184cbb7ad3889fd6c1a4ae3791e67a4ee6f220491abbbda2006addc6032999238cc010df759c868485522ee17e520569b7e746b0c770065f4622894afcfd46257b7c3646f15d65d561ab8e22e4f03cfbfa53ec4109115feeced84c398286bb79c58a7d640a2faec2c50285558d6b11d8ebc25eae6ece9c418dd795c0c11f459c815582c059935028cafb09b6603cc44a48f3823d0aeda73fec7
e=0x9ae923
c=""
c_dec = base64.b64decode(c).strip()
#一开始iv有256位 每加密一个分组增加256位
length = len(c_dec)/256
#找出每组密文异或前的内容
c_list = []
for i in xrange(length,1,-1):
c_list.insert( 0, strxor( c_dec[(i-1)*256:i*256], c_dec[(i-2)*256:(i-1)*256] ) )
#构建爆破字典
dic = []
for i in range(0,0xffff):
m = str(hex(i)[2:]).rjust(4,'0')
qqq = number.bytes_to_long(m)
www = pow(qqq, e, n)
eee = binascii.unhexlify('%.512x' % www)
dic.append(eee)
#开始反查
m_hex = ""
for i in c_list:
if i in dic:
m_hex += hex(dic.index(i))[2:].rjust(4,'0')
else:
print "not found"
print m_hex
flag1 = int('flag1{Th1s_i5_wHat_You_ne3d_FirsT}'.encode('hex'),16)
flag2 = int('flag2{Fuck_Y0u_cAn_Ge7_Se3ond}'.encode('hex'),16)
m_num = libnum.s2n(binascii.unhexlify(m_hex))
m_num /= flag1*flag2
print libnum.n2s(m_num)
得到结果
10652cdf92fb9032a2e4c699448e3ca4ca266a667ccc5af2c95fae7f6de79fcd1fa52cfe72ee7fa3ab90a58c0c2310cfcc42dab372cd17cd0c8282834211d3bbd86324d4b7cb7bb279e6c34876ef259d3357ab66186e0bfe0c5db9c5a7067622dcbc06a42265
flag{64b60d7c2ddcf37f8d50358be1c35f45}
迪杰斯特拉算法
。
networkx
,里面自带迪杰斯特拉算法。
import networkx as nx
import matplotlib.pyplot as plt
G=nx.Graph()
G.add_edge('FloraPrice','E11',weight=1)
G.add_edge('FloraPrice','E9',weight=1)
G.add_edge('FloraPrice','75D}',weight=1)
G.add_edge('NoraFayette','E11',weight=1)
G.add_edge('NoraFayette','E10',weight=1)
G.add_edge('NoraFayette','E13',weight=1)
G.add_edge('NoraFayette','E12',weight=1)
G.add_edge('NoraFayette','E14',weight=1)
G.add_edge('NoraFayette','E9',weight=1)
G.add_edge('NoraFayette','E7',weight=1)
G.add_edge('NoraFayette','E6',weight=1)
G.add_edge('E10','SylviaAvondale',weight=1)
G.add_edge('E10','MyraLiddel',weight=1)
G.add_edge('E10','HelenLloyd',weight=1)
G.add_edge('E10','KatherinaRogers',weight=1)
G.add_edge('VerneSanderson','E7',weight=1)
G.add_edge('VerneSanderson','E12',weight=1)
G.add_edge('VerneSanderson','E9',weight=1)
G.add_edge('VerneSanderson','E8',weight=1)
G.add_edge('E12','HelenLloyd',weight=1)
G.add_edge('E12','KatherinaRogers',weight=1)
G.add_edge('E12','SylviaAvondale',weight=1)
G.add_edge('E12','MyraLiddel',weight=1)
G.add_edge('E14','SylviaAvondale',weight=1)
G.add_edge('E14','75D}',weight=1)
G.add_edge('E14','KatherinaRogers',weight=1)
G.add_edge('FrancesAnderson','E5',weight=1)
G.add_edge('FrancesAnderson','E6',weight=1)
G.add_edge('FrancesAnderson','E8',weight=1)
G.add_edge('FrancesAnderson','E3',weight=1)
G.add_edge('DorothyMurchison','E9',weight=1)
G.add_edge('DorothyMurchison','E8',weight=1)
G.add_edge('EvelynJefferson','E9',weight=1)
G.add_edge('EvelynJefferson','E8',weight=1)
G.add_edge('EvelynJefferson','E5',weight=1)
G.add_edge('EvelynJefferson','E4',weight=1)
G.add_edge('EvelynJefferson','E6',weight=1)
G.add_edge('EvelynJefferson','E1',weight=1)
G.add_edge('EvelynJefferson','E3',weight=1)
G.add_edge('EvelynJefferson','E2',weight=1)
G.add_edge('RuthDeSand','E5',weight=1)
G.add_edge('RuthDeSand','E7',weight=1)
G.add_edge('RuthDeSand','E9',weight=1)
G.add_edge('RuthDeSand','E8',weight=1)
G.add_edge('HelenLloyd','E11',weight=1)
G.add_edge('HelenLloyd','E7',weight=1)
G.add_edge('HelenLloyd','E8',weight=1)
G.add_edge('OliviaCarleton','E11',weight=1)
G.add_edge('OliviaCarleton','E9',weight=1)
G.add_edge('EleanorNye','E5',weight=1)
G.add_edge('EleanorNye','E7',weight=1)
G.add_edge('EleanorNye','E6',weight=1)
G.add_edge('EleanorNye','E8',weight=1)
G.add_edge('E9','TheresaAnderson',weight=1)
G.add_edge('E9','PearlOglethorpe',weight=1)
G.add_edge('E9','KatherinaRogers',weight=1)
G.add_edge('E9','SylviaAvondale',weight=1)
G.add_edge('E9','MyraLiddel',weight=1)
G.add_edge('E8','TheresaAnderson',weight=1)
G.add_edge('E8','PearlOglethorpe',weight=1)
G.add_edge('E8','KatherinaRogers',weight=1)
G.add_edge('E8','SylviaAvondale',weight=1)
G.add_edge('E8','BrendaRogers',weight=1)
G.add_edge('E8','LauraMandeville',weight=1)
G.add_edge('E8','MyraLiddel',weight=1)
G.add_edge('E5','TheresaAnderson',weight=1)
G.add_edge('E5','BrendaRogers',weight=1)
G.add_edge('E5','LauraMandeville',weight=1)
G.add_edge('E5','CharlotteMcDowd',weight=1)
G.add_edge('E4','CharlotteMcDowd',weight=1)
G.add_edge('E4','TheresaAnderson',weight=1)
G.add_edge('E4','BrendaRogers',weight=1)
G.add_edge('E7','TheresaAnderson',weight=1)
G.add_edge('E7','SylviaAvondale',weight=1)
G.add_edge('E7','BrendaRogers',weight=1)
G.add_edge('E7','LauraMandeville',weight=1)
G.add_edge('E7','CharlotteMcDowd',weight=1)
G.add_edge('E6','TheresaAnderson',weight=1)
G.add_edge('E6','PearlOglethorpe',weight=1)
G.add_edge('E6','BrendaRogers',weight=1)
G.add_edge('E6','LauraMandeville',weight=1)
G.add_edge('E1','LauraMandeville',weight=1)
G.add_edge('E1','BrendaRogers',weight=1)
G.add_edge('E3','TheresaAnderson',weight=1)
G.add_edge('E3','BrendaRogers',weight=1)
G.add_edge('E3','LauraMandeville',weight=1)
G.add_edge('E3','CharlotteMcDowd',weight=1)
G.add_edge('E3','flag{',weight=1)
G.add_edge('E2','LauraMandeville',weight=1)
G.add_edge('E2','TheresaAnderson',weight=1)
G.add_edge('KatherinaRogers','E13',weight=1)
G.add_edge('E13','SylviaAvondale',weight=1)
nx.draw(G,pos = nx.random_layout(G),node_color = 'b',edge_color = 'r',with_labels = True,font_size =18,node_size =20)
plt.savefig("wuxiangtu.png")
plt.show()
rs=nx.dijkstra_path(G,'flag{','75D}')
print(rs)
运行结果如下
参考链接
西湖论剑2019 WriteUp -梅子酒的书札